Cannot make my LDAP configuration to work

Symptoms

  • I am not able to log-in on Jenkins
  • LDAP groups are not recognized by Jenkins
  • In /whoAmI LDAP groups do not appear

Diagnosis/Treatment

  • Pre-conditions:
    • When configuring the LDAP plugin for the first time, login does not work.
    • While testing, Authorization should be set to "Anyone can do anything". Otherwise an incorrect configuration can lock you out of Jenkins. See Disable Security.

Set-up the minimum configuration

The idea is to configure the simplest scenario for CloudBees Jenkins and LDAP server integration.

When working with the LDAP plugin for the first time, do not configure any fields beyond the ones shown in the image below. Note that an incorrect User search filter can prevent users from logging in.

The only options which should be filled in are (red are mandatory, orange optional):

  • a - Server, as ldap(s)://<IP_ADDRESS>[:<PORT>]. Note: the default ports are 389 for ldap and 636 for ldaps. Add :<PORT> if the service is exposed on a port other than the default.
  • b - rootDN (or <searchbase>)
  • c - User search filter: depending on how your LDAP server is set up, three different options might work; if you don't know how your LDAP tree is configured, test all of them:
    • cn={0}
    • uid={0}
    • sAMAccountName={0} (when configuring the LDAP plugin to work with an Active Directory server)
  • d - If the LDAP server does NOT allow anonymous binding, the Manager DN and password (or <binddn> and <passwd>) are also needed.

ldap_validation.png

Validate the LDAP Plugin configuration

After configuring the minimum settings, click on Test LDAP Settings.

ldap_validation.png

Once your configuration is validated, log in as a user (“UserX”), browse to http://<JENKINS_URL>/whoAmI/ and check that the groups for “UserX” are retrieved correctly.

ldap-whoami.png

If the minimum configuration does not work

Check your connection values with a LDAP Client

LDAP client tools, such as JXplorer, can be useful for validating the minimum configuration used to integrate LDAP with Jenkins.

This tool can also be used, among other things, to check group members or to confirm specific values such as <binddn> (Manager DN). In the following example, “exampleUser” is “uid=colin=people,dc=example,dc=com”.

ldap_validation.png

Use ldapsearch

Check that you can connect to the LDAP server from the Jenkins server with the ldapsearch command line tool:

ldapsearch -LLL -x -H ldap://<IP_ADDRESS>:<PORT> -M -b "<searchbase>" -D "<binddn>" -w "<passwd>" "(uid=<userid>)"

Note:
* For testing purposes you will need to install ldapsearch on the same server as Jenkins. On Linux, ldapsearch is included in the ldap-utils package.
* -x selects a simple bind with the Manager DN and password; without it, ldapsearch attempts a SASL bind.
* Take care to escape special characters with \ where necessary.
* For the following commands, if you want to avoid exposing your password, -w "<passwd>" can be replaced by:
  * -W, which prompts you for the password.
  * -y ./pass.txt, where ./pass.txt contains the password. ldapsearch uses the complete file content as the password, so the file must not end with a newline.

Examples

Retrieve a full organization:
ldapsearch -LLL -x -H ldap://ldap.example.com:389 -M -D "ou=people,dc=example,dc=com" -b "dc=example,dc=com" -w "pass"
Retrieve one user:
ldapsearch -LLL -x -H ldap://ldap.example.com:389 -M -D "ou=people,dc=example,dc=com" -b "dc=example,dc=com" -w "pass" "(uid=exampleUser)"
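The following POSIX sh script is an added example, not part of the original article: it tries the three user search filters listed above (cn, uid, sAMAccountName) with ldapsearch, escapes the login name per RFC 4515 so special characters cannot change the filter, and prints the entry's dn and memberOf attributes so the groups can be compared with what /whoAmI shows. The server URL, base DN, manager DN and password file in the usage line are placeholders.

```shell
# Escape a value for an LDAP search filter (RFC 4515): \ * ( ) become
# \5c \2a \28 \29, so a login name cannot widen the filter. Backslash goes first.
ldap_filter_escape() {
  printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# Default port for a URL scheme: 389 for ldap, 636 for ldaps.
ldap_default_port() {
  case "$1" in
    ldap)  echo 389 ;;
    ldaps) echo 636 ;;
    *)     return 1 ;;
  esac
}

# The three user-filter forms from the article, one per line, for a login name.
ldap_candidate_filters() {
  u=$(ldap_filter_escape "$1")
  printf '(cn=%s)\n(uid=%s)\n(sAMAccountName=%s)\n' "$u" "$u" "$u"
}

# Keep only dn and memberOf lines from LDIF as printed by ldapsearch -LLL,
# re-joining folded lines (a leading space continues the previous line).
# Base64 values ("memberOf:: ...") are passed through undecoded.
ldif_dn_and_groups() {
  awk '
    function emit(l) { if (l ~ /^(dn|memberOf):/) print l }
    /^ /  { buf = buf substr($0, 2); next }
          { if (buf != "") emit(buf); buf = $0 }
    END   { if (buf != "") emit(buf) }'
}

# Try each candidate filter with a simple bind (-x) and a password file (-y);
# report the first filter that returns an entry plus the groups it carries.
# Usage: ldap_find_user ldap://ldap.example.com:389 "dc=example,dc=com" \
#          "cn=manager,dc=example,dc=com" ./pass.txt exampleUser   (placeholders)
ldap_find_user() {
  url=$1 base=$2 binddn=$3 passfile=$4 login=$5
  u=$(ldap_filter_escape "$login")
  for attr in cn uid sAMAccountName; do
    out=$(ldapsearch -LLL -x -H "$url" -b "$base" -D "$binddn" -y "$passfile" \
          "($attr=$u)" dn memberOf 2>/dev/null) || continue
    [ -n "$out" ] || continue
    printf 'matched filter: (%s=%s)\n' "$attr" "$u"
    printf '%s\n' "$out" | ldif_dn_and_groups
    return 0
  done
  echo "no entry matched cn=, uid= or sAMAccountName= for $login" >&2
  return 1
}
```

The filter that matches is the one to put in the plugin's User search filter field (with {0} in place of the login name); an empty memberOf list on a server that does use memberOf usually points at a wrong rootDN or a bind account that is not allowed to read group attributes.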

Logging

After configuring the minimum set-up for the plugin, to troubleshoot specific issues you can create a dedicated LDAP log recorder (Manage Jenkins > System Log) that includes the following loggers:

  • hudson.security = ALL
  • jenkins.security = ALL
  • org.acegisecurity.ldap = ALL
  • org.acegisecurity.providers.ldap = ALL

Tested products/plugins version

The latest update of this article has been tested with:
